IIS web proxy

TheMSsForum.com: The Microsoft Software Forum

Hello All,
I want to publish my website from behind a firewall, how can I do that?
Here is my setup.
I have a small intranet which is configured as follows

Router facing the internet configured with NAT so port redirect has been
configured.

IIS is installed on a SBS2K server behind the Router, there is an ISA
firewall running on the SBS2K server.

port 80 and 8080 is being used by ISA web proxy, so IIS sites are running on
port 801.

Now I redirect port 801 from router to the IIS to service one website on the
SBS2K, works fine.

Now I also have a separate development server on our intranet from which I
want to publish a website.

Since router can only publish websites from the IIS installed on the SBS2K,
the only way I can think of publishing a website from the dev server is to
use a web proxy somehow, like one provided in Apache webserver. i.e request
comes to IIS of SBS2K which does a proxy for the IIS on the Dev Server and
services the website.

Is there a way to do that with IIS? if not is there an alternate solution
without compromising the security of the network? I do not want to create a
DMZ, and I do not want to put the dev server directly behind the router.

Any suggestions please ?

Imran.
Top

Re: IIS web proxy by jeff

jeff
Fri Feb 04 07:15:47 CST 2005

On Fri, 4 Feb 2005 10:42:02 -0000, "Imran Aziz" <imran@bindweb.com>
wrote:

> I want to publish my website from behind a firewall, how can I do that?

Open the proper ports in the firewall, provide network address
translation if needed.

>Here is my setup.
>I have a small intranet which is configured as follows
>
>Router facing the internet configured with NAT so port redirect has been
>configured.
>
>IIS is installed on a SBS2K server behind the Router, there is an ISA
>firewall running on the SBS2K server.
>
>port 80 and 8080 is being used by ISA web proxy, so IIS sites are running on
>port 801.
>
>Now I redirect port 801 from router to the IIS to service one website on the
>SBS2K, works fine.
>
>Now I also have a separate development server on our intranet from which I
>want to publish a website.
>
>Since router can only publish websites from the IIS installed on the SBS2K,
>the only way I can think of publishing a website from the dev server is to
>use a web proxy somehow, like one provided in Apache webserver. i.e request
>comes to IIS of SBS2K which does a proxy for the IIS on the Dev Server and
>services the website.
>
>Is there a way to do that with IIS?

No.

>if not is there an alternate solution
>without compromising the security of the network?

SBS has ISA, which should do this.

>I do not want to create a
>DMZ, and I do not want to put the dev server directly behind the router.

Then you've eliminated one option that would have worked as well.

Jeff
Top

Re: IIS web proxy by Imran

Imran
Fri Feb 04 08:57:30 CST 2005

Hello Jeff,
Thanks a lot for your response, Sorry I missed out one thing. There is a
website already published from SBS2K, so all the firewall and Router rules
are setup fine for that, and I do understand them, the issue is now with
this development machine, how can I publish IIS sites from another server
using the SBS2K, since all traffic goes through SBS, and Dev Server is on
the internal network, and is not connected to the external interface facing
the router, so how do request route from the router to the Dev Server, since
they will have to go through SBS to do so.
You mentioned this can be done using ISA, any leads as to how to get
that done, since after more then a year of working with ISA it still is a
black box to me :)

Imran.

"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:420b751d.259721639@msnews.microsoft.com...
> On Fri, 4 Feb 2005 10:42:02 -0000, "Imran Aziz" <imran@bindweb.com>
> wrote:
>
>> I want to publish my website from behind a firewall, how can I do
>> that?
>
> Open the proper ports in the firewall, provide network address
> translation if needed.
>
>>Here is my setup.
>>I have a small intranet which is configured as follows
>>
>>Router facing the internet configured with NAT so port redirect has been
>>configured.
>>
>>IIS is installed on a SBS2K server behind the Router, there is an ISA
>>firewall running on the SBS2K server.
>>
>>port 80 and 8080 is being used by ISA web proxy, so IIS sites are running
>>on
>>port 801.
>>
>>Now I redirect port 801 from router to the IIS to service one website on
>>the
>>SBS2K, works fine.
>>
>>Now I also have a separate development server on our intranet from which I
>>want to publish a website.
>>
>>Since router can only publish websites from the IIS installed on the
>>SBS2K,
>>the only way I can think of publishing a website from the dev server is to
>>use a web proxy somehow, like one provided in Apache webserver. i.e
>>request
>>comes to IIS of SBS2K which does a proxy for the IIS on the Dev Server and
>>services the website.
>>
>>Is there a way to do that with IIS?
>
> No.
>
>>if not is there an alternate solution
>>without compromising the security of the network?
>
> SBS has ISA, which should do this.
>
>>I do not want to create a
>>DMZ, and I do not want to put the dev server directly behind the router.
>
> Then you've eliminated one option that would have worked as well.
>
> Jeff


Top

Re: IIS web proxy by BP

BP
Fri Feb 04 11:07:05 CST 2005

Is this a multihomed server, 2 Nics?
If so is the local nic IP addresss not assigned in iis root web? I ask this because U
mention
external interface to router on SBS this would lead one to believe more than one exists.
If
that is the case why not assign both address to iis even though you have to bind another
in
advanced properties of nic as a work around to ISA being at same port 80 then disable
socket pooling on iis5.0 allowing it to share port 80 at another local address.
I have done the same to allow Netshow unicast service to bind on port 80
and iis5.0 port 80 without error. Add the entry into DNS for the new address
and publish web via name entered into dns like ww1.myweb.com. Don't believe it
will interfere with ISA as it uses the first local bound address and iis5.0
will use the other new local bound address. IIs assumes it owns port 80 and
is unwilling to give it up without disabling socket pooling as I have learned.
To disable socket pooling for an IIS 5.0 Web site
1.. At the command prompt, type cd SystemDrive\inetpub\adminscripts.
2.. At the SystemDrive\Inetpub\AdminScripts command prompt, type
cscript adsutil.vbs set w3svc/disablesocketpooling true.

The command prompt will reply:

disablesocketpooling : (BOOLEAN) TRUE


"Imran Aziz" <imran@bindweb.com> wrote in message
news:OeMKXosCFHA.1604@TK2MSFTNGP10.phx.gbl...
> Hello Jeff,
> Thanks a lot for your response, Sorry I missed out one thing. There is a
> website already published from SBS2K, so all the firewall and Router rules
> are setup fine for that, and I do understand them, the issue is now with
> this development machine, how can I publish IIS sites from another server
> using the SBS2K, since all traffic goes through SBS, and Dev Server is on
> the internal network, and is not connected to the external interface facing
> the router, so how do request route from the router to the Dev Server, since
> they will have to go through SBS to do so.
> You mentioned this can be done using ISA, any leads as to how to get
> that done, since after more then a year of working with ISA it still is a
> black box to me :)
>
> Imran.
>
> "Jeff Cochran" <jeff.nospam@zina.com> wrote in message
> news:420b751d.259721639@msnews.microsoft.com...
> > On Fri, 4 Feb 2005 10:42:02 -0000, "Imran Aziz" <imran@bindweb.com>
> > wrote:
> >
> >> I want to publish my website from behind a firewall, how can I do
> >> that?
> >
> > Open the proper ports in the firewall, provide network address
> > translation if needed.
> >
> >>Here is my setup.
> >>I have a small intranet which is configured as follows
> >>
> >>Router facing the internet configured with NAT so port redirect has been
> >>configured.
> >>
> >>IIS is installed on a SBS2K server behind the Router, there is an ISA
> >>firewall running on the SBS2K server.
> >>
> >>port 80 and 8080 is being used by ISA web proxy, so IIS sites are running
> >>on
> >>port 801.
> >>
> >>Now I redirect port 801 from router to the IIS to service one website on
> >>the
> >>SBS2K, works fine.
> >>
> >>Now I also have a separate development server on our intranet from which I
> >>want to publish a website.
> >>
> >>Since router can only publish websites from the IIS installed on the
> >>SBS2K,
> >>the only way I can think of publishing a website from the dev server is to
> >>use a web proxy somehow, like one provided in Apache webserver. i.e
> >>request
> >>comes to IIS of SBS2K which does a proxy for the IIS on the Dev Server and
> >>services the website.
> >>
> >>Is there a way to do that with IIS?
> >
> > No.
> >
> >>if not is there an alternate solution
> >>without compromising the security of the network?
> >
> > SBS has ISA, which should do this.
> >
> >>I do not want to create a
> >>DMZ, and I do not want to put the dev server directly behind the router.
> >
> > Then you've eliminated one option that would have worked as well.
> >
> > Jeff
>
>


Top

Re: IIS web proxy by jeff

jeff
Fri Feb 04 15:47:52 CST 2005

On Fri, 4 Feb 2005 14:57:30 -0000, "Imran Aziz" <imran@bindweb.com>
wrote:

>Hello Jeff,
> Thanks a lot for your response, Sorry I missed out one thing. There is a
>website already published from SBS2K, so all the firewall and Router rules
>are setup fine for that, and I do understand them, the issue is now with
>this development machine, how can I publish IIS sites from another server
>using the SBS2K, since all traffic goes through SBS, and Dev Server is on
>the internal network, and is not connected to the external interface facing
>the router, so how do request route from the router to the Dev Server, since
>they will have to go through SBS to do so.
> You mentioned this can be done using ISA, any leads as to how to get
>that done, since after more then a year of working with ISA it still is a
>black box to me :)

For that there's an ISA group. :)

Though there may be an issue with ISA on SBS. SBS is designed to be
the sole server, so ISA with it may be restricted compared to the
normal ISA. I'm not an SBS guy so I can't say for sure, but an SBS
group would likely know the answer.

Beyond that it's really just routing. You have the internet to your
router, to your SBS/ISA, to your dev server. And back. You'll need
to set a default gateway on the dev server to the SBS, and it gets a
default gateway of the router, which has a default gateway to your
internet provider. Each would need a route to the dev server's
logical network pointing to whatever the next hop to it is.

Jeff


>"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
>news:420b751d.259721639@msnews.microsoft.com...
>> On Fri, 4 Feb 2005 10:42:02 -0000, "Imran Aziz" <imran@bindweb.com>
>> wrote:
>>
>>> I want to publish my website from behind a firewall, how can I do
>>> that?
>>
>> Open the proper ports in the firewall, provide network address
>> translation if needed.
>>
>>>Here is my setup.
>>>I have a small intranet which is configured as follows
>>>
>>>Router facing the internet configured with NAT so port redirect has been
>>>configured.
>>>
>>>IIS is installed on a SBS2K server behind the Router, there is an ISA
>>>firewall running on the SBS2K server.
>>>
>>>port 80 and 8080 is being used by ISA web proxy, so IIS sites are running
>>>on
>>>port 801.
>>>
>>>Now I redirect port 801 from router to the IIS to service one website on
>>>the
>>>SBS2K, works fine.
>>>
>>>Now I also have a separate development server on our intranet from which I
>>>want to publish a website.
>>>
>>>Since router can only publish websites from the IIS installed on the
>>>SBS2K,
>>>the only way I can think of publishing a website from the dev server is to
>>>use a web proxy somehow, like one provided in Apache webserver. i.e
>>>request
>>>comes to IIS of SBS2K which does a proxy for the IIS on the Dev Server and
>>>services the website.
>>>
>>>Is there a way to do that with IIS?
>>
>> No.
>>
>>>if not is there an alternate solution
>>>without compromising the security of the network?
>>
>> SBS has ISA, which should do this.
>>
>>>I do not want to create a
>>>DMZ, and I do not want to put the dev server directly behind the router.
>>
>> Then you've eliminated one option that would have worked as well.
>>
>> Jeff
>

Top

Re: IIS web proxy by Imran

Imran
Mon Feb 07 08:32:28 CST 2005

Hello Jeff,
You are right this surly seems to be an ISA issue, I did manage to find
some real nice articles about publishing websites from behind an ISA
firewall and now trying to get it sorted. As for the routing its configured
exactly the way you have stated, Dev Server has SBS as the default gateway,
and SBS has the ISP's gateway configured, so just need to get this routed
through the ISA firewall.
Here are the articles that I found, in case someone else also comes across
this issue.

http://www.isaserver.org/tutorials/A_Web_Site_Using_ISA_Server_Part_1_Preparing_To_Publish_Your_Site.html

http://www.isaserver.org/tutorials/Publishing_Multiple_Web_Sites_using_Web_Publishing_Rules.html

Imran.

"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:4204ec5e.290246101@msnews.microsoft.com...
> On Fri, 4 Feb 2005 14:57:30 -0000, "Imran Aziz" <imran@bindweb.com>
> wrote:
>
>>Hello Jeff,
>> Thanks a lot for your response, Sorry I missed out one thing. There is
>> a
>>website already published from SBS2K, so all the firewall and Router rules
>>are setup fine for that, and I do understand them, the issue is now with
>>this development machine, how can I publish IIS sites from another server
>>using the SBS2K, since all traffic goes through SBS, and Dev Server is on
>>the internal network, and is not connected to the external interface
>>facing
>>the router, so how do request route from the router to the Dev Server,
>>since
>>they will have to go through SBS to do so.
>> You mentioned this can be done using ISA, any leads as to how to get
>>that done, since after more then a year of working with ISA it still is a
>>black box to me :)
>
> For that there's an ISA group. :)
>
> Though there may be an issue with ISA on SBS. SBS is designed to be
> the sole server, so ISA with it may be restricted compared to the
> normal ISA. I'm not an SBS guy so I can't say for sure, but an SBS
> group would likely know the answer.
>
> Beyond that it's really just routing. You have the internet to your
> router, to your SBS/ISA, to your dev server. And back. You'll need
> to set a default gateway on the dev server to the SBS, and it gets a
> default gateway of the router, which has a default gateway to your
> internet provider. Each would need a route to the dev server's
> logical network pointing to whatever the next hop to it is.
>
> Jeff
>
>
>>"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
>>news:420b751d.259721639@msnews.microsoft.com...
>>> On Fri, 4 Feb 2005 10:42:02 -0000, "Imran Aziz" <imran@bindweb.com>
>>> wrote:
>>>
>>>> I want to publish my website from behind a firewall, how can I do
>>>> that?
>>>
>>> Open the proper ports in the firewall, provide network address
>>> translation if needed.
>>>
>>>>Here is my setup.
>>>>I have a small intranet which is configured as follows
>>>>
>>>>Router facing the internet configured with NAT so port redirect has been
>>>>configured.
>>>>
>>>>IIS is installed on a SBS2K server behind the Router, there is an ISA
>>>>firewall running on the SBS2K server.
>>>>
>>>>port 80 and 8080 is being used by ISA web proxy, so IIS sites are
>>>>running
>>>>on
>>>>port 801.
>>>>
>>>>Now I redirect port 801 from router to the IIS to service one website on
>>>>the
>>>>SBS2K, works fine.
>>>>
>>>>Now I also have a separate development server on our intranet from which
>>>>I
>>>>want to publish a website.
>>>>
>>>>Since router can only publish websites from the IIS installed on the
>>>>SBS2K,
>>>>the only way I can think of publishing a website from the dev server is
>>>>to
>>>>use a web proxy somehow, like one provided in Apache webserver. i.e
>>>>request
>>>>comes to IIS of SBS2K which does a proxy for the IIS on the Dev Server
>>>>and
>>>>services the website.
>>>>
>>>>Is there a way to do that with IIS?
>>>
>>> No.
>>>
>>>>if not is there an alternate solution
>>>>without compromising the security of the network?
>>>
>>> SBS has ISA, which should do this.
>>>
>>>>I do not want to create a
>>>>DMZ, and I do not want to put the dev server directly behind the router.
>>>
>>> Then you've eliminated one option that would have worked as well.
>>>
>>> Jeff
>>
>


Top

Re: IIS web proxy by Imran

Imran
Mon Feb 07 08:57:51 CST 2005

Hello,
Thanks for your response, but I don't have any problem publishing webs
from the IIS installed on the SBS, its the Dev Server that is within the
network that I want to publish a website from. And yes the server is
multihomed, and I have got webs on the external IP address, which can be
published easily. Dev Server is on the internal network, so it cannot have
external IP addresses, hence some routing technique is required to publish
the webs from the Dev Box.
Imran.
"BP" <jobseeker04@iwon.com> wrote in message
news:edRV1vtCFHA.3100@TK2MSFTNGP09.phx.gbl...
> Is this a multihomed server, 2 Nics?
> If so is the local nic IP addresss not assigned in iis root web? I ask
> this because U
> mention
> external interface to router on SBS this would lead one to believe more
> than one exists.
> If
> that is the case why not assign both address to iis even though you have
> to bind another
> in
> advanced properties of nic as a work around to ISA being at same port 80
> then disable
> socket pooling on iis5.0 allowing it to share port 80 at another local
> address.
> I have done the same to allow Netshow unicast service to bind on port 80
> and iis5.0 port 80 without error. Add the entry into DNS for the new
> address
> and publish web via name entered into dns like ww1.myweb.com. Don't
> believe it
> will interfere with ISA as it uses the first local bound address and
> iis5.0
> will use the other new local bound address. IIs assumes it owns port 80
> and
> is unwilling to give it up without disabling socket pooling as I have
> learned.
> To disable socket pooling for an IIS 5.0 Web site
> 1.. At the command prompt, type cd SystemDrive\inetpub\adminscripts.
> 2.. At the SystemDrive\Inetpub\AdminScripts command prompt, type
> cscript adsutil.vbs set w3svc/disablesocketpooling true.
>
> The command prompt will reply:
>
> disablesocketpooling : (BOOLEAN) TRUE
>
>
> "Imran Aziz" <imran@bindweb.com> wrote in message
> news:OeMKXosCFHA.1604@TK2MSFTNGP10.phx.gbl...
>> Hello Jeff,
>> Thanks a lot for your response, Sorry I missed out one thing. There
>> is a
>> website already published from SBS2K, so all the firewall and Router
>> rules
>> are setup fine for that, and I do understand them, the issue is now with
>> this development machine, how can I publish IIS sites from another server
>> using the SBS2K, since all traffic goes through SBS, and Dev Server is on
>> the internal network, and is not connected to the external interface
>> facing
>> the router, so how do request route from the router to the Dev Server,
>> since
>> they will have to go through SBS to do so.
>> You mentioned this can be done using ISA, any leads as to how to get
>> that done, since after more then a year of working with ISA it still is a
>> black box to me :)
>>
>> Imran.
>>
>> "Jeff Cochran" <jeff.nospam@zina.com> wrote in message
>> news:420b751d.259721639@msnews.microsoft.com...
>> > On Fri, 4 Feb 2005 10:42:02 -0000, "Imran Aziz" <imran@bindweb.com>
>> > wrote:
>> >
>> >> I want to publish my website from behind a firewall, how can I do
>> >> that?
>> >
>> > Open the proper ports in the firewall, provide network address
>> > translation if needed.
>> >
>> >>Here is my setup.
>> >>I have a small intranet which is configured as follows
>> >>
>> >>Router facing the internet configured with NAT so port redirect has
>> >>been
>> >>configured.
>> >>
>> >>IIS is installed on a SBS2K server behind the Router, there is an ISA
>> >>firewall running on the SBS2K server.
>> >>
>> >>port 80 and 8080 is being used by ISA web proxy, so IIS sites are
>> >>running
>> >>on
>> >>port 801.
>> >>
>> >>Now I redirect port 801 from router to the IIS to service one website
>> >>on
>> >>the
>> >>SBS2K, works fine.
>> >>
>> >>Now I also have a separate development server on our intranet from
>> >>which I
>> >>want to publish a website.
>> >>
>> >>Since router can only publish websites from the IIS installed on the
>> >>SBS2K,
>> >>the only way I can think of publishing a website from the dev server is
>> >>to
>> >>use a web proxy somehow, like one provided in Apache webserver. i.e
>> >>request
>> >>comes to IIS of SBS2K which does a proxy for the IIS on the Dev Server
>> >>and
>> >>services the website.
>> >>
>> >>Is there a way to do that with IIS?
>> >
>> > No.
>> >
>> >>if not is there an alternate solution
>> >>without compromising the security of the network?
>> >
>> > SBS has ISA, which should do this.
>> >
>> >>I do not want to create a
>> >>DMZ, and I do not want to put the dev server directly behind the
>> >>router.
>> >
>> > Then you've eliminated one option that would have worked as well.
>> >
>> > Jeff
>>
>>
>
>


Top